PERFORCE change 40100 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Oct 21 16:30:04 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=40100
Change 40100 by areisse at areisse_ibook on 2003/10/21 09:29:40
some maclabel system calls
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/init_sysent.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#20 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/init_sysent.c#2 (text+ko) ====
@@ -311,6 +311,15 @@
int pthread_sigmask();
int __disable_threadsignal();
+#ifdef MAC
+int __mac_get_file();
+int __mac_set_file();
+int __mac_get_link();
+int __mac_set_link();
+int __mac_get_proc();
+int __mac_set_proc();
+#endif
+
/*
* System call switch table.
*/
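Review bot: `__mac_set_file` and `__mac_set_link` are declared here but never placed in the switch table below, and in this same change the `__mac_set_file` definition in kern_mac.c sits inside an `#if 0`, so these declarations name symbols that may not exist in a MAC build. Either drop the two declarations until the set calls are wired up, or annotate them, e.g. `/* XXX: not yet in the switch table; definitions currently #if 0 in kern_mac.c */`, so a reader does not take them as live entry points.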
@@ -715,10 +724,17 @@
syss(utrace,2), /* 335 = utrace */
syss(nosys,0), /* 336 */
syss(nosys,0), /* 337 */
+#ifdef MAC
+ syss(__mac_get_file,2), /* 338 */
+ syss(__mac_get_link,2), /* 339 */
+ syss(__mac_get_proc,1), /* 340 */
+ syss(__mac_set_proc,1), /* 341 */
+#else
syss(nosys,0), /* 338 */
syss(nosys,0), /* 339 */
syss(nosys,0), /* 340 */
syss(nosys,0), /* 341 */
+#endif
syss(nosys,0), /* 342 */
syss(nosys,0), /* 343 */
syss(nosys,0), /* 344 */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#20 (text+ko) ====
@@ -93,6 +93,9 @@
#define PROC_LOCK_ASSERT(x, y)
#define M_ASSERTPKTHDR(x)
+#define PROC_LOCK(p)
+#define PROC_UNLOCK(p)
+
#if 0
#define ASSERT_VOP_LOCKED(vp,msg) \
if (vp && !VOP_ISLOCKED(vp)) \
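Review bot: `PROC_LOCK(p)`/`PROC_UNLOCK(p)` are defined as empty, which silently removes the serialization the FreeBSD code between them relies on: later in this change `__mac_set_proc` swaps `p->p_ucred` and `__mac_get_proc` takes a `crhold` on it inside these macros, and with no-op locks those two paths can race. The stubs should at least say so, e.g. `/* XXX: no-op stubs; p_ucred reads/swaps in __mac_{get,set}_proc are unserialized until these map to a real lock */`, and be revisited before the syscalls are exposed to untrusted callers. The neighbouring `PROC_LOCK_ASSERT`/`M_ASSERTPKTHDR` stubs only disable diagnostics, so they are a weaker precedent than these.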
@@ -447,7 +450,7 @@
} else \
error = sbuf_printf(&sb, ",%s/", element_name); \
if (error == -1) { \
- error = EINVAL; /* XXX: E2BIG? */ \
+ error = ENOMEM; /* XXX: E2BIG? */ \
break; \
} \
claimed = 0; \
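Review bot: The new `error = ENOMEM;` on the sbuf overflow path keeps the old `/* XXX: E2BIG? */` question, so the comment now contradicts the errno the code actually returns. Either settle the errno and drop the question, or restate it against the new value, e.g. `error = ENOMEM; /* sbuf overflow: caller's m_buflen too small; XXX E2BIG may fit better */`. The macro this line belongs to begins before the hunk.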
@@ -459,7 +462,7 @@
/* Revert last label name. */ \
sbuf_setpos(&sb, savedlen); \
} else if (claimed != 1) { \
- error = EINVAL; /* XXX: ENOLABEL? */ \
+ error = ENOENT; /* XXX: ENOLABEL? */ \
break; \
} \
} \
@@ -709,6 +712,7 @@
LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
/* Per-policy initialization. */
+ printf ("calling mpo_init for %s\n", mpc->mpc_name);
if (mpc->mpc_ops->mpo_init != NULL)
(*(mpc->mpc_ops->mpo_init))(mpc);
mac_policy_updateflags();
@@ -851,9 +855,11 @@
static void
mac_init_cred_label(struct label *label)
{
-
+ printf ("mac_init_cred_label %d\n", label);
mac_init_label(label);
+ printf ("mpo_init_cred_label %d\n", label);
MAC_PERFORM(init_cred_label, label);
+ printf ("mac_init_cred_label done %d\n", label);
MAC_DEBUG_COUNTER_INC(&nmaccreds);
}
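Review bot: The three added `printf` calls format `label`, a `struct label *`, with `%d`; it happens to fit on this target but it is a format/argument mismatch, and it prints a kernel address on the console every time a credential label is initialised. If the trace is wanted, use `%p` and gate it on a debug build (the `MAC_DEBUG_COUNTER_INC` line suggests a MAC_DEBUG option exists, though I cannot see its name here): `printf("mac_init_cred_label %p\n", label);`. Otherwise remove them before merge, since this function runs for every cred created.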
@@ -1436,8 +1442,9 @@
void
mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
{
-
+ printf ("mpo_create_cred %d %d %d\n", parent_cred, child_cred, 0);
MAC_PERFORM(create_cred, parent_cred, child_cred);
+ printf ("mpo_create_cred done\n");
}
#if 0
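Review bot: `printf ("mpo_create_cred %d %d %d\n", parent_cred, child_cred, 0);` formats two `struct ucred *` with `%d` and appends a literal `0` that carries no information; if it stays it should read `printf("mpo_create_cred %p %p\n", parent_cred, child_cred);`. This path runs on every credential copy and exposes kernel pointers to the console, so it belongs under a debug conditional or should be dropped before merge.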
@@ -3433,9 +3440,16 @@
return (0);
}
+#endif
+
+struct __mac_get_pid_args
+{
+ pid_t pid;
+ struct mac *mac_p;
+};
int
-__mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
+__mac_get_pid(struct proc *td, struct __mac_get_pid_args *uap, register_t *ret)
{
char *elements, *buffer;
struct mac mac;
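Review bot: The converted `__mac_get_pid` keeps the parameter name `td` for what is now a `struct proc *`, which misleads next to `tproc`/`tcred` below; `__mac_set_proc` in this same change renames its parameter to `p`, so `struct proc *p` here would be consistent. `ret` is accepted but never written in the visible lines; if the call has nothing to return through it, a one-line comment saying so would help. The body continues past the hunk.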
@@ -3456,9 +3470,11 @@
return (ESRCH);
tcred = NULL; /* Satisfy gcc. */
- error = p_cansee(td, tproc);
- if (error == 0)
- tcred = crhold(tproc->p_ucred);
+ error = 0;/*p_cansee(td, tproc);*/
+ if (error == 0) {
+ tcred = tproc->p_ucred;
+ crhold(tcred);
+ }
PROC_UNLOCK(tproc);
if (error)
return (error);
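Review bot: `error = 0;/*p_cansee(td, tproc);*/` removes the only check that the caller may see the target process, so once `__mac_get_pid` is wired into the table any process can read the MAC label of any pid. A label is sensitive in its own right, so this should be restored with this tree's equivalent of the visibility check rather than hard-coded to success; failing that, an explicit `/* XXX: p_cansee() not ported; any caller can read any pid's label */` so the gap is not forgotten. Note also that `PROC_UNLOCK(tproc)` is a no-op in this change, so the `crhold(tcred)` is taken on `tproc->p_ucred` without serialization against a concurrent relabel. `__mac_get_pid` begins before this hunk.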
@@ -3486,12 +3502,18 @@
/*
* MPSAFE
*/
+struct __mac_get_proc_args
+{
+ struct mac *mac_p;
+};
+
int
-__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
+__mac_get_proc(struct proc *td, struct __mac_get_proc_args *uap, register_t *ret)
{
char *elements, *buffer;
struct mac mac;
- int error;
+ struct ucred *cr;
+ int error, ulen;
error = copyin(uap->mac_p, &mac, sizeof(mac));
if (error)
@@ -3502,32 +3524,42 @@
return (error);
MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
- error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
+ error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
if (error) {
FREE(elements, M_MACTEMP);
return (error);
}
+ PROC_LOCK(td);
+ cr = td->p_ucred;
+ crhold(cr);
+ PROC_UNLOCK(td);
+
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(&cr->cr_label,
elements, buffer, mac.m_buflen, M_WAITOK);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
FREE(buffer, M_MACTEMP);
FREE(elements, M_MACTEMP);
+ crfree (cr);
return (error);
}
/*
* MPSAFE
*/
+struct __mac_set_proc_args
+{
+ struct mac *mac_p;
+};
+
int
-__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
+__mac_set_proc(struct proc *p, struct __mac_set_proc_args *uap, register_t *ret)
{
struct ucred *newcred, *oldcred;
struct label intlabel;
- struct proc *p;
struct mac mac;
char *buffer;
int error;
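Review bot: `ulen` is written by `copyinstr(mac.m_string, elements, mac.m_buflen, &ulen)` and never read, and it is declared `int` while copyinstr's length-out parameter is presumably `size_t *` in this tree, so at best it is an unused variable and at worst a pointer-type mismatch. Either pass `NULL` again as the original did, or use the value, e.g. reject the request when `ulen` reaches `mac.m_buflen` if truncated element strings are not wanted. The added `crhold(cr)`/`crfree(cr)` pair is the right shape, but `PROC_LOCK(td)` is defined as empty in this change, so the hold does not actually exclude a concurrent `__mac_set_proc` replacing `p_ucred`.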
@@ -3555,21 +3587,17 @@
return (error);
}
- newcred = crget();
-
- p = td->td_proc;
PROC_LOCK(p);
oldcred = p->p_ucred;
error = mac_check_cred_relabel(oldcred, &intlabel);
if (error) {
PROC_UNLOCK(p);
- crfree(newcred);
goto out;
}
- setsugid(p);
- crcopy(newcred, oldcred);
+ /*setsugid(p);*/
+ newcred = crdup(oldcred);
mac_relabel_cred(newcred, &intlabel);
p->p_ucred = newcred;
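Review bot: `/*setsugid(p);*/` drops the step that marks the process as having changed credentials after its label is replaced, so whatever this tree keys off that flag (in the FreeBSD original, debugger attach and core-dump restrictions via `P_SUGID`) no longer applies to a process that has just relabeled itself. If xnu has no `setsugid()`, set the equivalent flag explicitly rather than commenting the call out silently, or leave an `XXX` explaining why skipping it is safe. `crdup(oldcred)` now runs between `PROC_LOCK(p)` and `PROC_UNLOCK(p)`; the original allocated before taking the lock because allocation can sleep, which only works here because the lock stubs are empty. The `crfree(oldcred)` is outside the hunk, so I cannot confirm the old credential is still released after the swap.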
@@ -3596,9 +3624,16 @@
return (error);
}
+#if 0
/*
* MPSAFE
*/
+struct __mac_get_fd_args
+{
+ int fd;
+ struct mac *mac_p;
+};
+
int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
@@ -3611,7 +3646,7 @@
struct pipe *pipe;
#endif
short label_type;
- int error;
+ int error, ulen;
error = copyin(uap->mac_p, &mac, sizeof(mac));
if (error)
@@ -3622,7 +3657,7 @@
return (error);
MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
- error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
+ error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
if (error) {
FREE(elements, M_MACTEMP);
return (error);
@@ -3702,18 +3737,25 @@
return (error);
}
+#endif
/*
* MPSAFE
*/
+struct __mac_get_file_args
+{
+ char *path_p;
+ struct mac *mac_p;
+};
+
int
-__mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
+__mac_get_file(struct proc *td, struct __mac_get_file_args *uap, register_t *ret)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct mac mac;
- int error;
+ int error, ulen;
error = copyin(uap->mac_p, &mac, sizeof(mac));
if (error)
@@ -3724,7 +3766,7 @@
return (error);
MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
- error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
+ error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
if (error) {
FREE(elements, M_MACTEMP);
return (error);
@@ -3745,7 +3787,9 @@
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
mac.m_buflen, M_WAITOK);
- NDFREE(&nd, 0);
+ /*NDFREE(&nd, 0);*/
+ FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI);
+
mac_destroy_vnode_label(&intlabel);
if (error == 0)
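Review bot: Replacing `NDFREE(&nd, 0)` with `FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI)` frees only the pathname buffer, whereas `NDFREE(&nd, 0)` also released the vnode `namei` returned in `nd.ni_vp` (and unlocked it if the lookup used LOCKLEAF). Nothing in the hunk does a `vput(nd.ni_vp)` or `vrele`, so unless one exists past the hunk every call leaks a vnode reference and, if the leaf was locked, leaves the file locked — an unprivileged caller could pin arbitrary files with repeated calls. Also confirm whether this tree's `namei` already frees `cn_pnbuf` when SAVENAME is not set; if it does, the explicit `FREE_ZONE` is a double free. The `NDINIT`/`namei` calls are before the hunk.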
@@ -3765,6 +3809,12 @@
/*
* MPSAFE
*/
+struct __mac_get_link_args
+{
+ char *path_p;
+ struct mac *mac_p;
+};
+
int
__mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
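Review bot: `__mac_get_link` is placed in the switch table at slot 339 in this change, but its definition keeps the FreeBSD signature `__mac_get_link(struct thread *td, struct __mac_get_link_args *uap)` while the sibling calls were converted to `(struct proc *td, ..., register_t *ret)`. The dispatcher will hand a `struct proc *` to a parameter typed `struct thread *`, so any use of `td` in the body (which continues past the hunk) is a type confusion; change it to `__mac_get_link(struct proc *td, struct __mac_get_link_args *uap, register_t *ret)` to match `__mac_get_file`.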
@@ -3772,7 +3822,7 @@
struct nameidata nd;
struct label intlabel;
struct mac mac;
- int error;
+ int error, ulen;
error = copyin(uap->mac_p, &mac, sizeof(mac));
if (error)
@@ -3783,7 +3833,7 @@
return (error);
MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
- error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
+ error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
if (error) {
FREE(elements, M_MACTEMP);
return (error);
@@ -3803,7 +3853,8 @@
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
mac.m_buflen, M_WAITOK);
- NDFREE(&nd, 0);
+ /*NDFREE(&nd, 0);*/
+ FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI);
mac_destroy_vnode_label(&intlabel);
if (error == 0)
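Review bot: As in `__mac_get_file`, swapping `NDFREE(&nd, 0)` for a bare `FREE_ZONE(nd.ni_cnd.cn_pnbuf, ...)` drops the release of `nd.ni_vp`; the hunk shows no `vput`/`vrele`, so each call leaks (and may leave locked) the vnode `namei` returned. Add the vnode release next to the buffer free, and verify that `namei` in this tree does not already free `cn_pnbuf` without SAVENAME, which would make the `FREE_ZONE` a double free. The lookup setup is before the hunk.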
@@ -3820,6 +3871,7 @@
return (error);
}
+#if 0
/*
* MPSAFE
*/
@@ -3880,7 +3932,7 @@
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, &intlabel, td->p_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
@@ -3921,8 +3973,14 @@
/*
* MPSAFE
*/
+struct __mac_set_file_args
+{
+ char *path_p;
+ struct mac *mac_p;
+};
+
int
-__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
+__mac_set_file(struct proc *td, struct __mac_set_file_args *uap, register_t *ret)
{
struct label intlabel;
struct nameidata nd;
@@ -3965,7 +4023,7 @@
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
- td->td_ucred);
+ td->p_ucred);
vn_finished_write(mp);
}
@@ -4038,11 +4096,20 @@
return (error);
}
+#endif
+
/*
* MPSAFE
*/
+struct mac_syscall_args
+{
+ char *policy;
+ int call;
+ void *arg;
+};
+
int
-mac_syscall(struct thread *td, struct mac_syscall_args *uap)
+mac_syscall(struct proc *td, struct mac_syscall_args *uap, register_t *retv)
{
struct mac_policy_conf *mpc;
char target[MAC_MAX_POLICY_NAME];
@@ -4076,14 +4143,12 @@
out:
return (error);
}
-#endif /* !0 TBD/CDV*/
SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
#else /* !MAC */
-#if 0 /* TBD/CDV*/
int
__mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
{
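Review bot: Removing `#if 0 /* TBD/CDV*/` re-enables the `!MAC` stubs, but they keep the FreeBSD `struct thread *td` signature and reference `struct __mac_get_pid_args`, which this change declares only inside the MAC branch, so a non-MAC build compiles them against a struct tag scoped to the prototype. Since init_sysent.c routes the new slots to `nosys` when MAC is off, the stubs are also unreferenced; either hoist the `*_args` structs above the `#ifdef MAC` and convert the stubs to the `(struct proc *, args, register_t *)` shape, or leave them disabled. The stub bodies continue past the hunk.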
@@ -4153,6 +4218,5 @@
return (ENOSYS);
}
-#endif /* !0 TBD/CDV*/
#endif /* !MAC */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#4 (text+ko) ====
@@ -63,7 +63,7 @@
typedef struct mac *mac_t;
-#ifndef _KERNEL
+#ifndef KERNEL
/*
* Location of the userland MAC framework configuration file. mac.conf
@@ -86,7 +86,7 @@
int mac_get_pid(pid_t _pid, mac_t _label);
int mac_get_proc(mac_t _label);
int mac_is_present(const char *_policyname);
-int mac_prepare(mac_t *_label, char *_elements);
+int mac_prepare(mac_t *_label, const char *_elements);
int mac_prepare_file_label(mac_t *_label);
int mac_prepare_ifnet_label(mac_t *_label);
int mac_prepare_process_label(mac_t *_label);
@@ -123,7 +123,9 @@
struct vattr;
struct vnode;
+#if 0
#include <sys/acl.h> /* XXX acl_type_t */
+#endif
struct vop_setlabel_args;
@@ -284,12 +286,16 @@
struct componentname *cnp, struct vattr *vap);
int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
+#if 0
int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
+#endif
int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp);
+#if 0
int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
+#endif
int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
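Review bot: The `#if 0` around `mac_check_vnode_deleteacl` and `mac_check_vnode_getacl` removes them from the kernel interface with no note of why; any callers or matching policy-ops entries (not visible here) need the same treatment or the build fails at link time. A short comment at the first `#if 0`, e.g. `/* XXX: no acl_type_t on xnu yet; ACL entry points disabled together with the sys/acl.h include above */`, would tie the disabled blocks together for whoever re-enables them.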
@@ -313,8 +319,10 @@
int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
+#if 0
int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
acl_type_t type, struct acl *acl);
+#endif
int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,